
Critical Flaw in Open Source Package Imperils Millions of AI Agents

Summary

– A critical vulnerability in Starlette, an open-source ASGI framework with 325 million weekly downloads, allows hackers to breach servers and steal sensitive data and credentials.
– The flaw, tracked as CVE-2026-48710 and named BadHost, is trivial to exploit and affects Starlette versions before 1.0.1, released Friday.
– BadHost threatens millions of servers running MCP (model context protocol), which store credentials for AI agents to access external resources like databases and email.
– The vulnerability bypasses path-based authorization via a single character injected into the HTTP Host header, impacting FastAPI and other Python AI tools like vLLM, LiteLLM, and MCP servers.
– Despite a severity rating of 7 out of 10, researchers say this understates the threat, with X41 D-Sec calling it “critical severity” and releasing an online scanner to check server vulnerability.

Millions of AI agents and related tools worldwide are facing a serious security threat due to a newly discovered vulnerability that could let hackers infiltrate the servers running them and steal sensitive data, including credentials for third-party accounts. A security researcher has raised the alarm about this flaw, which is trivial to exploit and exposes a vast number of systems.

The vulnerability resides in Starlette, an open source framework that its developer reports receives 325 million downloads each week. Thousands of other open source projects are also at risk because they rely on Starlette to function. This framework implements the ASGI (asynchronous server gateway interface), which enables efficient handling of large numbers of simultaneous requests. Starlette serves as the foundation for FastAPI and many other widely used frameworks for building services in Python applications, along with numerous additional tools.

At the core of the issue is how ASGI, and by extension Starlette, interacts with servers running the MCP (model context protocol). MCP allows AI agents from major providers to access external resources such as user databases, email and calendar accounts, and a wide array of other systems. To connect with these external services, MCP servers store credentials for each one, making them high-value targets for attackers.

The vulnerability, identified as CVE-2026-48710 and dubbed BadHost, is straightforward to exploit and affects most systems that are not protected by a properly configured firewall. In addition to FastAPI, other widely used packages like vLLM and LiteLLM are also impacted. BadHost affects all Starlette versions prior to 1.0.1, which was released on Friday.
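For defenders triaging exposure, the sketch below audits a `pip freeze`-style pin list against the 1.0.1 fix boundary stated above. It is an added example, not code from the article or from the Starlette project; the sample pin list is constructed, and treating pre-releases of 1.0.1 as affected is a conservative assumption.

```python
import re

FIXED = (1, 0, 1)                            # first fixed release, per the article
DEPENDENTS = {"fastapi", "vllm", "litellm"}  # named in the article as built on Starlette

def normalize(name):
    """PEP 503 normalization so 'Starlette' and 'starlette' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_version(text):
    """Split '0.46.2' or '1.0.1rc1' into (release tuple, is_prerelease)."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)(.*)", text.strip())
    if not m or "*" in text:                 # wildcards are not exact pins
        return None
    release = tuple(int(p) for p in m.group(1).split("."))
    release += (0,) * max(0, 3 - len(release))
    is_pre = bool(re.match(r"[-_.]?(a|b|rc|alpha|beta|pre|dev)\d*", m.group(2), re.I))
    return release, is_pre

def audit(freeze_text):
    """Return (package, status) findings for one environment's pin list."""
    findings = []
    for raw in freeze_text.splitlines():
        # Drop comments and environment markers before matching the requirement.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(?:(==)\s*(\S+))?", line)
        if not line or not m:
            continue
        name, pinned = normalize(m.group(1)), m.group(3)
        if name in DEPENDENTS:
            findings.append((name, "pulls in starlette; check the resolved version"))
        elif name == "starlette":
            parsed = parse_version(pinned) if pinned else None
            if parsed is None:
                findings.append((name, "not pinned to an exact version; verify manually"))
            elif parsed[0] < FIXED or (parsed[0] == FIXED and parsed[1]):
                findings.append((name, f"{pinned} is before 1.0.1: affected"))
            else:
                findings.append((name, f"{pinned} is 1.0.1 or later"))
    return findings

# Constructed sample input (not from the article)
SAMPLE = """\
fastapi==0.115.0
Starlette==0.46.2   # transitive
uvicorn[standard]==0.30.1
"""

if __name__ == "__main__":
    for pkg, status in audit(SAMPLE):
        print(f"{pkg}: {status}")
```

Feed it the output of `pip freeze` from each deployed environment rather than a top-level requirements file, since Starlette usually arrives as a transitive dependency.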

“A single character injected into the HTTP Host header bypasses path-based authorization in Starlette, the routing core of FastAPI,” researchers from Secwest explained. “Through FastAPI, this primitive (now tracked as CVE-2026-48710 and branded BadHost by the discoverers) reaches a large segment of the Python AI tooling ecosystem: vLLM (where the bug was discovered), LiteLLM, Text Generation Inference, most OpenAI-shim proxies, MCP servers, agent harnesses, eval dashboards, and model-management UIs.”

BadHost carries a severity rating of 7 out of 10, but Secwest argues that this classification “materially understates” the danger it poses to users of other applications that depend on Starlette. The security firm X41 D-Sec, which discovered the flaw, describes it as having “critical severity.” X41 D-Sec has partnered with fellow security firm Nemesis to create an online scanner that can check whether a given server is vulnerable.

(Source: Ars Technica)
